
Virtumonde hating.



LBrider
2008-03-31, 04:38
Spybot S&D tells me it has removed virtumonde, but it keeps reappearing. Here's the HJT log, please help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:54 PM, on 3/30/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Portrait Displays\forteManager\dthtml.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\wbem\unsecapp.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:6588
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [DT LGE] C:\Program Files\Portrait Displays\forteManager\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-21-3998126492-281048955-1198320686-1000\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User '?')
O4 - HKUS\S-1-5-21-3998126492-281048955-1198320686-1000\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" (User '?')
O4 - HKUS\S-1-5-21-3998126492-281048955-1198320686-1000\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - S-1-5-21-3998126492-281048955-1198320686-1000 Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe (User '?')
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Hawking Wireless Utility.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 10493 bytes

ken545
2008-03-31, 20:06
Hello LBrider

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288).
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

I am not seeing any Vundo on your log, not to say it could be hiding.

Let's do a few things. Disable the TeaTimer in Spybot, as it will interfere with changes we make.

Download Reset Tea Timer (http://downloads.subratam.org/ResetTeaTimer.bat) to your desktop (you need to use Internet Explorer for this). Double-click it to run; it just takes a sec.

REBOOT YOUR COMPUTER

Open HijackThis and do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =



Run this free online scan using Internet Explorer:
Kaspersky Online Virus Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html)

Next, click on Launch Kaspersky Online Scanner.

You will be prompted to install an ActiveX component from Kaspersky; click Yes.

The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded, click on NEXT.
Now click on Scan Settings.
In the scan settings, make sure that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK.
Now, under "Select a target to scan", select My Computer.
The program will start and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, it will display whether your system has been infected.
Now click on the Save as Text button.
Save the file to your desktop.
Post the log along with a new HJT log in your next reply.

The thieves that have written Vundo have written it to go undetected by HijackThis, so we need to rename HijackThis to something else so those entries will show up on your log.

This is important; do this and post a new HijackThis log.
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right-click on HijackThis.exe (it looks like a man with a spyglass) and rename it to Scanner.exe.

Post the Kaspersky report and a new HJT log from the renamed copy, please.

LBrider
2008-04-02, 06:51
Hi Ken,

Here is the HJT log along with the Kaspersky log you requested. Thank you for your help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:28 PM, on 4/1/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Portrait Displays\forteManager\dthtml.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:6588
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2C08E82B-A9AD-4E90-B22C-4086E70D667C} - (no file)
O2 - BHO: (no name) - {353F2DC7-1F4E-48F9-A18A-C8579EF798D3} - (no file)
O2 - BHO: (no name) - {4840B3BA-9B86-498D-8BF2-09C82363FF13} - (no file)
O2 - BHO: (no name) - {5C197F1A-5DDE-476C-ABC4-8107C3D4E298} - (no file)
O2 - BHO: (no name) - {60A63C56-73AA-40C2-9839-B1CCAD9B6024} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {BA1DFAAF-E860-4ACC-AFC4-FB0981F8B695} - (no file)
O2 - BHO: (no name) - {BD0BB58C-319A-439D-8816-A73F0E143779} - (no file)
O2 - BHO: (no name) - {C638BB21-21A0-443F-AAC5-5F6AC4537CE3} - (no file)
O2 - BHO: (no name) - {D46C7398-2525-4415-99F3-A7934C281979} - C:\Windows\system32\awtss.dll
O2 - BHO: (no name) - {E018DB38-8048-49A9-AF3C-B80A68DC9541} - C:\Windows\system32\awtss.dll
O2 - BHO: (no name) - {EC2FF8DA-F8B3-4FC2-89A6-C157332E80E0} - (no file)
O2 - BHO: (no name) - {EF15A517-018F-48C1-BCFB-A6593D67C6AA} - (no file)
O2 - BHO: (no name) - {F1520B28-9BE2-4518-9E67-76F4BAA6C98D} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [DT LGE] C:\Program Files\Portrait Displays\forteManager\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-21-3998126492-281048955-1198320686-1000\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User '?')
O4 - S-1-5-21-3998126492-281048955-1198320686-1000 Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe (User '?')
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Hawking Wireless Utility.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 10782 bytes
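The renaming step is what changed between these two logs: the first run, with HijackThis.exe under its own name, shows no O2 (Browser Helper Object) section at all, while the run as Scanner.exe lists a string of nameless CLSIDs, two of them pointing at C:\Windows\system32\awtss.dll. The script below is an added example for this thread, not part of the original posts and not a HijackThis feature: it parses the O2 section of two HijackThis logs, reports the entries that appear only in the second, and marks the ones a helper would look at first. The embedded sample logs are short excerpts of the two logs posted above; the two heuristics (a nameless BHO with no file behind it, a nameless BHO loading a DLL straight from system32) are assumptions of this example, not a verdict from the thread.

```python
"""Diff the O2 (Browser Helper Object) section of two HijackThis logs.

Added example for this thread; it is not part of the original posts and
not a HijackThis feature. The line format it parses is the one shown in
the HijackThis 2.0.2 logs above:

    O2 - BHO: <name> - {CLSID} - <path or "(no file)">
"""
import re
from dataclasses import dataclass
from typing import Optional

# Excerpts of the two logs posted in the thread. The first run (HijackThis.exe
# under its own name) has no O2 lines at all; the second run (renamed to
# Scanner.exe) does.
LOG_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
O1 - Hosts: ::1 localhost
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
"""

LOG_AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2C08E82B-A9AD-4E90-B22C-4086E70D667C} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {D46C7398-2525-4415-99F3-A7934C281979} - C:\Windows\system32\awtss.dll
O2 - BHO: (no name) - {E018DB38-8048-49A9-AF3C-B80A68DC9541} - C:\Windows\system32\awtss.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
"""

# One O2 line: name, CLSID in braces (8-4-4-4-12 hex), then a path or "(no file)".
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)


@dataclass(frozen=True)
class Bho:
    name: str
    clsid: str   # normalised to upper case so the same CLSID compares equal
    path: str


def parse_bhos(log_text: str) -> dict:
    """Return the O2 entries of a HijackThis log keyed by CLSID; other sections are ignored."""
    bhos = {}
    for line in log_text.splitlines():
        m = O2_LINE.match(line.strip())
        if m:
            clsid = m["clsid"].upper()
            bhos[clsid] = Bho(m["name"], clsid, m["path"])
    return bhos


def why_suspicious(b: Bho) -> Optional[str]:
    """Heuristics of this example (assumptions, not the thread's verdict)."""
    if b.name == "(no name)" and b.path == "(no file)":
        return "nameless BHO whose DLL is gone: orphaned CLSID"
    if b.name == "(no name)" and re.search(r"\\system32\\[^\\]+\.dll$", b.path, re.I):
        return "nameless BHO loading a DLL straight from system32"
    return None


def new_bhos(before: str, after: str) -> list:
    """BHOs present in `after` but not in `before`, each paired with a reason or None."""
    old = parse_bhos(before)
    new = parse_bhos(after)
    return [(new[c], why_suspicious(new[c])) for c in sorted(new) if c not in old]


def report(before: str = LOG_BEFORE, after: str = LOG_AFTER) -> list:
    """Diff the two logs and print one line per new BHO, flagging the suspicious ones."""
    result = new_bhos(before, after)
    for bho, reason in result:
        tag = "FLAG" if reason else "ok  "
        suffix = f"  [{reason}]" if reason else ""
        print(f"{tag} {bho.clsid} {bho.name} -> {bho.path}{suffix}")
    return result


if __name__ == "__main__":
    report()
```

On the two excerpts this prints five new BHOs and flags three of them: the orphaned {2C08E82B-...} and the two nameless entries backed by awtss.dll. The Adobe and Java helpers are new in the second log only because the first run had no O2 section at all, which is the point of the rename: a diff between a run under the tool's real name and a run under a throwaway name is the cheapest check for malware that hides from a scanner by process name.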

LBrider
2008-04-02, 06:52
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 01, 2008 8:36:07 PM
Operating System: Microsoft Windows Vista Professional, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/04/2008
Kaspersky Anti-Virus database records: 607771
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
Scan Statistics
Total number of scanned objects 96652
Number of viruses found 2
Number of infected objects 11
Number of suspicious objects 18
Duration of the scan process 01:23:01

Infected Object Name Virus Name Last Action
C:\Boot\BCD Object is locked skipped
C:\Boot\BCD.LOG Object is locked skipped
C:\Program Files\Nero\Nero8\Nero BackItUp\BIU63A2.txt Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.191.Crwl Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.191.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.ci Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wsb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000C.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010011.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010016.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010018.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001C.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001E.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010020.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy480.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf6814.tmp Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf6815.tmp Object is locked skipped
C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-11022006-050253.log Object is locked skipped
C:\ProgramData\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\Users\Ryan\AppData\Local\Ahead\Nero Home\bl.db Object is locked skipped
C:\Users\Ryan\AppData\Local\Ahead\Nero Home\is2.db Object is locked skipped
C:\Users\Ryan\AppData\Local\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Users\Ryan\AppData\Local\AOL OCP\AIM\Storage\data\ryster018\localStorage\common.cls Object is locked skipped
C:\Users\Ryan\AppData\Local\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Users\Ryan\AppData\Local\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Users\Ryan\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Users\Ryan\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\Ryan\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\Ryan\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\Ryan\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\Ryan\AppData\Local\Microsoft\Windows\UsrClass.dat{c3233a2f-447b-11dc-84b3-8c688ab02ccf}.TM.blf Object is locked skipped
C:\Users\Ryan\AppData\Local\Microsoft\Windows\UsrClass.dat{c3233a2f-447b-11dc-84b3-8c688ab02ccf}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Ryan\AppData\Local\Microsoft\Windows\UsrClass.dat{c3233a2f-447b-11dc-84b3-8c688ab02ccf}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Ryan\AppData\Local\Microsoft\Windows Defender\FileTracker\{58C0E886-5492-430D-ACF1-041854E51789} Object is locked skipped
C:\Users\Ryan\AppData\Local\Microsoft\Windows Sidebar\Settings.ini Object is locked skipped
C:\Users\Ryan\AppData\Local\Mozilla\Firefox\Profiles\c36cvji6.default\Cache\_CACHE_001_ Object is locked skipped
C:\Users\Ryan\AppData\Local\Mozilla\Firefox\Profiles\c36cvji6.default\Cache\_CACHE_002_ Object is locked skipped
C:\Users\Ryan\AppData\Local\Mozilla\Firefox\Profiles\c36cvji6.default\Cache\_CACHE_003_ Object is locked skipped
C:\Users\Ryan\AppData\Local\Mozilla\Firefox\Profiles\c36cvji6.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Users\Ryan\AppData\Local\Temp\FXSAPIDebugLogFile.txt Object is locked skipped
C:\Users\Ryan\AppData\Local\Temp\~PI1186.tmp Infected: Exploit.Win32.MS04-028.gen skipped
C:\Users\Ryan\AppData\Local\Temp\~PI2E20.tmp Infected: Exploit.Win32.MS04-028.gen skipped
C:\Users\Ryan\AppData\Local\Temp\~PI31F4.tmp Infected: Exploit.Win32.MS04-028.gen skipped
C:\Users\Ryan\AppData\Local\Temp\~PI4DBF.tmp Infected: Exploit.Win32.MS04-028.gen skipped
C:\Users\Ryan\AppData\Local\Temp\~PI5548.tmp Infected: Exploit.Win32.MS04-028.gen skipped
C:\Users\Ryan\AppData\Local\Temp\~PI9484.tmp Infected: Exploit.Win32.MS04-028.gen skipped
C:\Users\Ryan\AppData\Local\Temp\~PIAD6C.tmp Infected: Exploit.Win32.MS04-028.gen skipped
C:\Users\Ryan\AppData\Local\Temp\~PIBE0E.tmp Infected: Exploit.Win32.MS04-028.gen skipped
C:\Users\Ryan\AppData\Local\Temp\~PIDFC8.tmp Infected: Exploit.Win32.MS04-028.gen skipped
C:\Users\Ryan\AppData\Local\Temp\~PIE34D.tmp Infected: Exploit.Win32.MS04-028.gen skipped
C:\Users\Ryan\AppData\Local\Temp\~PIEF30.tmp Infected: Exploit.Win32.MS04-028.gen skipped
C:\Users\Ryan\AppData\Roaming\acccore\nss\cert8.db Object is locked skipped
C:\Users\Ryan\AppData\Roaming\acccore\nss\key3.db Object is locked skipped
C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\c36cvji6.default\cert8.db Object is locked skipped
C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\c36cvji6.default\formhistory.dat Object is locked skipped
C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\c36cvji6.default\history.dat Object is locked skipped
C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\c36cvji6.default\key3.db Object is locked skipped
C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\c36cvji6.default\parent.lock Object is locked skipped
C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\c36cvji6.default\search.sqlite Object is locked skipped
C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\c36cvji6.default\urlclassifier2.sqlite Object is locked skipped
C:\Users\Ryan\AppData\Roaming\Thunderbird\Profiles\3o2qt4gf.default\Mail\Local Folders\OLD WEBMAIL/[From =?iso-8859-1?Q?KEN_MASSE-_The_Next_Sheriff?= ][Date Thu, 6 Apr 2006 17:19:00 -0700]/UNNAMED/[From "Jeffrey Kalama, Jr." ][Date Mon, 12 Dec 2005 19:43:37 -0800]/UNNAMED/[From "eBay" ][Date Mon, 12 Dec 2005 04:46:43 -0800]/UNNAMED/[From Hewlett-Packard ][Date Wed, 07 D ... ... /[From Sarah Estab ... /[From eBay ][Date Sat, 22 Apr 2006 14:51:14 -0700]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Ryan\AppData\Roaming\Thunderbird\Profiles\3o2qt4gf.default\Mail\Local Folders\OLD WEBMAIL/[From =?iso-8859-1?Q?KEN_MASSE-_The_Next_Sheriff?= ][Date Thu, 6 Apr 2006 17:19:00 -0700]/UNNAMED/[From "Jeffrey Kalama, Jr." ][Date Mon, 12 Dec 2005 19:43:37 -0800]/UNNAMED/[From "eBay" ][Date Mon, 12 Dec 2005 04:46:43 -0800]/UNNAMED/[From Hewlett-Packard ][Date Wed, 07 D ... ... /[From Sarah Estabrook ][Date Fri, 14 Apr 2006 07:36:37 -0700 (PDT)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Ryan\AppData\Roaming\Thunderbird\Profiles\3o2qt4gf.default\Mail\Local Folders\OLD WEBMAIL/[From =?iso-8859-1?Q?KEN_MASSE-_The_Next_Sheriff?= ][Date Thu, 6 Apr 2006 17:19:00 -0700]/UNNAMED/[From "Jeffrey Kalama, Jr." ][Date Mon, 12 Dec 2005 19:43:37 -0800]/UNNAMED/[From "eBay" ][Date Mon, 12 Dec 2005 04:46:43 -0800]/UNNAMED/[From Hewlett-Packard ][Date Wed, 07 D ... ... /[From Sar ... /[From "Reza Toossi" ][Date Sun, 6 Nov 2005 11:17:05 -0800]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Ryan\AppData\Roaming\Thunderbird\Profiles\3o2qt4gf.default\Mail\Local Folders\OLD WEBMAIL/[From =?iso-8859-1?Q?KEN_MASSE-_The_Next_Sheriff?= ][Date Thu, 6 Apr 2006 17:19:00 -0700]/UNNAMED/[From "Jeffrey Kalama, Jr." ][Date Mon, 12 Dec 2005 19:43:37 -0800]/UNNAMED/[From "eBay" ][Date Mon, 12 Dec 2005 04:46:43 -0800]/UNNAMED/[From Hewlett-Packard ][Date Wed, 07 D ... ... /[From Sarah Estabrook ][Date Sun, 6 Nov 2005 14:59:04 -0800 (PST)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Ryan\AppData\Roaming\Thunderbird\Profiles\3o2qt4gf.default\Mail\Local Folders\OLD WEBMAIL/[From =?iso-8859-1?Q?KEN_MASSE-_The_Next_Sheriff?= ][Date Thu, 6 Apr 2006 17:19:00 -0700]/UNNAMED/[From "Jeffrey Kalama, Jr." ][Date Mon, 12 Dec 2005 19:43:37 -0800]/UNNAMED/[From "eBay" ][Date Mon, 12 Dec 2005 04:46:43 -0800]/UNNAMED/[From Hewlett-Packard ][Date Wed, 07 D ... ... /[From "Jeffrey Kalama, Jr." ][Date Sun, 6 Nov 2005 21:36:26 -0800]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Ryan\AppData\Roaming\Thunderbird\Profiles\3o2qt4gf.default\Mail\Local Folders\OLD WEBMAIL/[From =?iso-8859-1?Q?KEN_MASSE-_The_Next_Sheriff?= ][Date Thu, 6 Apr 2006 17:19:00 -0700]/UNNAMED/[From "Jeffrey Kalama, Jr." ][Date Mon, 12 Dec 2005 19:43:37 -0800]/UNNAMED/[From "eBay" ][Date Mon, 12 Dec 2005 04:46:43 -0800]/UNNAMED/[From Hewlett-Packard ][Date Wed, 07 D ... /[From Hewlett ... /[From "Hamid Rahai" ][Date Tue, 15 Nov 2005 10:06:42 -0800]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Ryan\AppData\Roaming\Thunderbird\Profiles\3o2qt4gf.default\Mail\Local Folders\OLD WEBMAIL/[From =?iso-8859-1?Q?KEN_MASSE-_The_Next_Sheriff?= ][Date Thu, 6 Apr 2006 17:19:00 -0700]/UNNAMED/[From "Jeffrey Kalama, Jr." ][Date Mon, 12 Dec 2005 19:43:37 -0800]/UNNAMED/[From "eBay" ][Date Mon, 12 Dec 2005 04:46:43 -0800]/UNNAMED/[From Hewlett-Packard ][Date Wed, 07 D ... /[From Hewlett-Packard Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Ryan\AppData\Roaming\Thunderbird\Profiles\3o2qt4gf.default\Mail\Local Folders\OLD WEBMAIL/[From =?iso-8859-1?Q?KEN_MASSE-_The_Next_Sheriff?= ][Date Thu, 6 Apr 2006 17:19:00 -0700]/UNNAMED/[From "Jeffrey Kalama, Jr." ][Date Mon, 12 Dec 2005 19:43:37 -0800]/UNNAMED/[From "eBay" ][Date Mon, 12 Dec 2005 04:46:43 -0800]/UNNAMED/[From Hewlett-Packard ][Date Wed, 07 D ... /[From Hewlett-Packard ][Date Fri, 02 Dec 2005 00:51:55 PST]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Ryan\AppData\Roaming\Thunderbird\Profiles\3o2qt4gf.default\Mail\Local Folders\OLD WEBMAIL/[From =?iso-8859-1?Q?KEN_MASSE-_The_Next_Sheriff?= ][Date Thu, 6 Apr 2006 17:19:00 -0700]/UNNAMED/[From "Jeffrey Kalama, Jr." ][Date Mon, 12 Dec 2005 19:43:37 -0800]/UNNAMED/[From "eBay" ][Date Mon, 12 Dec 2005 04:46:43 -0800]/UNNAMED/[From Hewlett-Packard ][Date Wed, 07 Dec 2005 22 ... /[ ... /[From "Brandon Keller" ][Date Fri, 02 Dec 2005 21:29:01 -0800]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Ryan\AppData\Roaming\Thunderbird\Profiles\3o2qt4gf.default\Mail\Local Folders\OLD WEBMAIL/[From =?iso-8859-1?Q?KEN_MASSE-_The_Next_Sheriff?= ][Date Thu, 6 Apr 2006 17:19:00 -0700]/UNNAMED/[From "Jeffrey Kalama, Jr." ][Date Mon, 12 Dec 2005 19:43:37 -0800]/UNNAMED/[From "eBay" ][Date Mon, 12 Dec 2005 04:46:43 -0800]/UNNAMED/[From Hewlett-Packard ][Date Wed, 07 Dec 2005 22 ... /[ ... /[From "Brandon Keller" ][Date Sun, 04 Dec 2005 13:58:19 -0800]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Ryan\AppData\Roaming\Thunderbird\Profiles\3o2qt4gf.default\Mail\Local Folders\OLD WEBMAIL/[From =?iso-8859-1?Q?KEN_MASSE-_The_Next_Sheriff?= ][Date Thu, 6 Apr 2006 17:19:00 -0700]/UNNAMED/[From "Jeffrey Kalama, Jr." ][Date Mon, 12 Dec 2005 19:43:37 -0800]/UNNAMED/[From "eBay" ][Date Mon, 12 Dec 2005 04:46:43 -0800]/UNNAMED/[From Hewlett-Packard ][Date Wed, 07 Dec 2005 22 ... /[From Matt Scholfield ][Date Mon, 5 Dec 2005 07:18:03 -0800]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Ryan\AppData\Roaming\Thunderbird\Profiles\3o2qt4gf.default\Mail\Local Folders\OLD WEBMAIL/[From =?iso-8859-1?Q?KEN_MASSE-_The_Next_Sheriff?= ][Date Thu, 6 Apr 2006 17:19:00 -0700]/UNNAMED/[From "Jeffrey Kalama, Jr." ][Date Mon, 12 Dec 2005 19:43:37 -0800]/UNNAMED/[From "eBay" ][Date Mon, 12 Dec 2005 04:46:43 -0800]/UNNAMED/[From Hewlett-Packard ][Date Wed, 07 Dec 2005 22 ... /[Fro ... /[From "fred aleman" ][Date Mon, 05 Dec 2005 12:23:58 -0800]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Ryan\AppData\Roaming\Thunderbird\Profiles\3o2qt4gf.default\Mail\Local Folders\OLD WEBMAIL/[From =?iso-8859-1?Q?KEN_MASSE-_The_Next_Sheriff?= ][Date Thu, 6 Apr 2006 17:19:00 -0700]/UNNAMED/[From "Jeffrey Kalama, Jr." ][Date Mon, 12 Dec 2005 19:43:37 -0800]/UNNAMED/[From "eBay" ][Date Mon, 12 Dec 2005 04:46:43 -0800]/UNNAMED/[From Hewlett-Packard ][Date Wed, 07 Dec 2005 22 ... /[From Matt Scholfield ][Date Tue, 6 Dec 2005 12:33:06 -0800]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Ryan\AppData\Roaming\Thunderbird\Profiles\3o2qt4gf.default\Mail\Local Folders\OLD WEBMAIL/[From =?iso-8859-1?Q?KEN_MASSE-_The_Next_Sheriff?= ][Date Thu, 6 Apr 2006 17:19:00 -0700]/UNNAMED/[From "Jeffrey Kalama, Jr." ][Date Mon, 12 Dec 2005 19:43:37 -0800]/UNNAMED/[From "eBay" ][Date Mon, 12 Dec 2005 04:46:43 -0800]/UNNAMED/[From Hewlett-Packard ][Date Wed, 07 Dec 2005 22:32:20 PST]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Ryan\AppData\Roaming\Thunderbird\Profiles\3o2qt4gf.default\Mail\Local Folders\OLD WEBMAIL/[From =?iso-8859-1?Q?KEN_MASSE-_The_Next_Sheriff?= ][Date Thu, 6 Apr 2006 17:19:00 -0700]/UNNAMED/[From "Jeffrey Kalama, Jr." ][Date Mon, 12 Dec 2005 19:43:37 -0800]/UNNAMED/[From "eBay" ][Date Mon, 12 Dec 2005 04:46:43 -0800]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Ryan\AppData\Roaming\Thunderbird\Profiles\3o2qt4gf.default\Mail\Local Folders\OLD WEBMAIL/[From =?iso-8859-1?Q?KEN_MASSE-_The_Next_Sheriff?= ][Date Thu, 6 Apr 2006 17:19:00 -0700]/UNNAMED/[From "Jeffrey Kalama, Jr." ][Date Mon, 12 Dec 2005 19:43:37 -0800]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Ryan\AppData\Roaming\Thunderbird\Profiles\3o2qt4gf.default\Mail\Local Folders\OLD WEBMAIL/[From =?iso-8859-1?Q?KEN_MASSE-_The_Next_Sheriff?= ][Date Thu, 6 Apr 2006 17:19:00 -0700]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Users\Ryan\AppData\Roaming\Thunderbird\Profiles\3o2qt4gf.default\Mail\Local Folders\OLD WEBMAIL Mail Berkeley mbox: suspicious - 17 skipped

LBrider
2008-04-02, 06:53
C:\Users\Ryan\AppData\Roaming\XemiComputers\Active Desktop Calendar\Data\Active Desktop Calendar.xdat Object is locked skipped
C:\Users\Ryan\AppData\Roaming\XemiComputers\Active Desktop Calendar\Log\ADC Errors Log.txt Object is locked skipped
C:\Users\Ryan\AppData\Roaming\XemiComputers\Active Desktop Calendar\Log\ADC Internet Errors Log.txt Object is locked skipped
C:\Users\Ryan\AppData\Roaming\XemiComputers\Active Desktop Calendar\Log\ADCLog.log Object is locked skipped
C:\Users\Ryan\Music\iTunes\iTunes Library.itl Object is locked skipped
C:\Users\Ryan\ntuser.dat Object is locked skipped
C:\Users\Ryan\ntuser.dat.LOG1 Object is locked skipped
C:\Users\Ryan\ntuser.dat.LOG2 Object is locked skipped
C:\Users\Ryan\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TM.blf Object is locked skipped
C:\Users\Ryan\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Ryan\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\CSC\v2.0.6\pq Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\sam.log Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3d4e88e9-6a70-11db-b1ba-d64300c9c793}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3d4e88e9-6a70-11db-b1ba-d64300c9c793}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3d4e88e9-6a70-11db-b1ba-d64300c9c793}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3d4e88e5-6a70-11db-b1ba-d64300c9c793}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3d4e88e5-6a70-11db-b1ba-d64300c9c793}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3d4e88e5-6a70-11db-b1ba-d64300c9c793}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\SoftwareDistribution\EventCache\{8DE0BB70-5A67-4FDE-928A-A2D73D60EF95}.bin Object is locked skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\config\components Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
C:\Windows\System32\config\default Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped
C:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped
C:\Windows\System32\config\RegBack\SAM Object is locked skipped
C:\Windows\System32\config\RegBack\SECURITY Object is locked skipped
C:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped
C:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped
C:\Windows\System32\config\sam Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\security Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\software Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\system Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms Object is locked skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTm.blf Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000001 Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000002 Object is locked skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.002 Object is locked skipped
C:\Windows\System32\wfp\wfpdiag.etl Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped
Scan process completed.

ken545
2008-04-02, 12:13
Good Morning,

There it is :sad: Let's do this.

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: (no name) - {2C08E82B-A9AD-4E90-B22C-4086E70D667C} - (no file)
O2 - BHO: (no name) - {353F2DC7-1F4E-48F9-A18A-C8579EF798D3} - (no file)
O2 - BHO: (no name) - {4840B3BA-9B86-498D-8BF2-09C82363FF13} - (no file)
O2 - BHO: (no name) - {5C197F1A-5DDE-476C-ABC4-8107C3D4E298} - (no file)
O2 - BHO: (no name) - {60A63C56-73AA-40C2-9839-B1CCAD9B6024} - (no file)
O2 - BHO: (no name) - {BA1DFAAF-E860-4ACC-AFC4-FB0981F8B695} - (no file)
O2 - BHO: (no name) - {BD0BB58C-319A-439D-8816-A73F0E143779} - (no file)
O2 - BHO: (no name) - {C638BB21-21A0-443F-AAC5-5F6AC4537CE3} - (no file)
O2 - BHO: (no name) - {D46C7398-2525-4415-99F3-A7934C281979} - C:\Windows\system32\awtss.dll
O2 - BHO: (no name) - {E018DB38-8048-49A9-AF3C-B80A68DC9541} - C:\Windows\system32\awtss.dll
O2 - BHO: (no name) - {EC2FF8DA-F8B3-4FC2-89A6-C157332E80E0} - (no file)
O2 - BHO: (no name) - {EF15A517-018F-48C1-BCFB-A6593D67C6AA} - (no file)
O2 - BHO: (no name) - {F1520B28-9BE2-4518-9E67-76F4BAA6C98D} - (no file)

O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

Please download OTMoveIt2 (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Users\Ryan\AppData\Local\Temp\~PI1186.tmp
C:\Users\Ryan\AppData\Local\Temp\~PI2E20.tmp
C:\Users\Ryan\AppData\Local\Temp\~PI31F4.tmp
C:\Users\Ryan\AppData\Local\Temp\~PI4DBF.tmp
C:\Users\Ryan\AppData\Local\Temp\~PI5548.tmp
C:\Users\Ryan\AppData\Local\Temp\~PI9484.tmp
C:\Users\Ryan\AppData\Local\Temp\~PIAD6C.tmp
C:\Users\Ryan\AppData\Local\Temp\~PIBE0E.tmp
C:\Users\Ryan\AppData\Local\Temp\~PIDFC8.tmp
C:\Users\Ryan\AppData\Local\Temp\~PIE34D.tmp
C:\Users\Ryan\AppData\Local\Temp\~PIEF30.tmp
C:\Windows\system32\awtss.dll

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a Hijackthis log.

Post the OTMoveIt log, the Malwarebytes log and a New HJT log please
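
The fix list above works through three places Virtumonde/Vundo hooks into Windows: Browser Helper Object CLSIDs (the O2 lines, most of them orphaned "(no file)" stubs left behind by earlier cleanups, two still pointing at awtss.dll), ShellExecuteHooks, and the LSA "Authentication Packages" list, which lsass.exe loads at boot before any user-mode scanner is running. The last two are what make the infection "keep reappearing" after Spybot reports it removed. The script below is an added example, not part of ken545's reply and not code from HijackThis, OTMoveIt or Malwarebytes; it is a read-only audit of those three registry locations that flags orphaned CLSIDs and DLLs that are not validly signed. The function names (`Resolve-ClsidServer`, `Get-ClsidFinding` and the rest) are mine; the registry paths are the real ones.

```powershell
# Added example, not code from the thread or from any of the tools it uses:
# a read-only audit of the registry persistence points Virtumonde/Vundo used
# on this machine. Run from an elevated PowerShell prompt; it changes nothing.
# HKLM:\SOFTWARE\Classes is the hive HijackThis reports as HKCR.

function Resolve-ClsidServer {
    # Return the DLL registered as the in-process server for a CLSID, or $null
    # when no InprocServer32 key exists (what HijackThis prints as "(no file)").
    param([string]$Clsid)
    foreach ($root in 'HKCU:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\CLSID') {
        $key = "$root\$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $raw = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
        }
    }
    return $null
}

function Get-ClsidFinding {
    # Classify one CLSID registration: orphaned (no DLL on disk, a dead entry
    # worth removing), not validly signed (a DLL like awtss.dll to look at), or ok.
    param([string]$Kind, [string]$Clsid)
    $dll = Resolve-ClsidServer $Clsid
    $status = if (-not $dll -or -not (Test-Path -LiteralPath $dll)) {
        'ORPHAN: no file'
    } elseif ((Get-AuthenticodeSignature -FilePath $dll).Status -ne 'Valid') {
        'REVIEW: not validly signed'
    } else {
        'ok'
    }
    [pscustomobject]@{ Kind = $Kind; Clsid = $Clsid; Dll = $dll; Status = $status }
}

function Get-BhoFindings {
    # Browser Helper Objects: one subkey per CLSID, loaded into every IE process.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path -LiteralPath $key) {
        foreach ($sub in Get-ChildItem -LiteralPath $key) {
            Get-ClsidFinding -Kind 'BHO' -Clsid $sub.PSChildName
        }
    }
}

function Get-ShellExecuteHookFindings {
    # ShellExecuteHooks: one *value* per CLSID. The shell instantiates each hook
    # whenever something is launched, which is how Vundo came back after cleanup.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    if (Test-Path -LiteralPath $key) {
        foreach ($name in (Get-Item -LiteralPath $key).GetValueNames()) {
            if ($name -match '^\{[0-9A-Fa-f-]{36}\}$') {
                Get-ClsidFinding -Kind 'ShellExecuteHook' -Clsid $name
            }
        }
    }
}

function Get-LsaPackageFindings {
    # "Authentication Packages" is a REG_MULTI_SZ that lsass.exe loads at boot,
    # before any user-mode scanner runs. A stock Vista/7 box lists only msv1_0.
    $lsa = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    foreach ($pkg in @($lsa.'Authentication Packages')) {
        if ($pkg -and $pkg -ne 'msv1_0') {
            [pscustomobject]@{ Kind = 'LsaAuthPackage'; Clsid = $null; Dll = $pkg; Status = 'REVIEW: non-default package' }
        }
    }
}

$findings = @(Get-BhoFindings) + @(Get-ShellExecuteHookFindings) + @(Get-LsaPackageFindings)
$findings | Where-Object { $_.Status -ne 'ok' } | Format-Table -AutoSize
```

Each `ORPHAN` row corresponds to an O2 "(no file)" line in the HijackThis log and is safe to remove; a `REVIEW` row naming a DLL in System32 with no vendor, or any entry in the LSA list other than msv1_0, is the kind of thing to submit to a scanner before deleting. Two caveats: on PowerShell older than 5.1 catalog-signed Windows files report `NotSigned`, so treat `REVIEW` as a prompt to inspect rather than a verdict, and an entry in the LSA list can only be removed once its DLL is no longer loaded in lsass.exe, which in practice means after a reboot with the file already moved.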

LBrider
2008-04-03, 05:05
Alrighty...

When I ran OTMoveIT, I had to reboot so I was not able to get a log of the results. I ran OTMoveIT again after everything and these are the results I got. The Malwarebytes log and new HJT log follow as well:

OTMoveIT

File/Folder C:\Users\Ryan\AppData\Local\Temp\~PI1186.tmp not found.
File/Folder C:\Users\Ryan\AppData\Local\Temp\~PI2E20.tmp not found.
File/Folder C:\Users\Ryan\AppData\Local\Temp\~PI31F4.tmp not found.
File/Folder C:\Users\Ryan\AppData\Local\Temp\~PI4DBF.tmp not found.
File/Folder C:\Users\Ryan\AppData\Local\Temp\~PI5548.tmp not found.
File/Folder C:\Users\Ryan\AppData\Local\Temp\~PI9484.tmp not found.
File/Folder C:\Users\Ryan\AppData\Local\Temp\~PIAD6C.tmp not found.
File/Folder C:\Users\Ryan\AppData\Local\Temp\~PIBE0E.tmp not found.
File/Folder C:\Users\Ryan\AppData\Local\Temp\~PIDFC8.tmp not found.
File/Folder C:\Users\Ryan\AppData\Local\Temp\~PIE34D.tmp not found.
File/Folder C:\Users\Ryan\AppData\Local\Temp\~PIEF30.tmp not found.
LoadLibrary failed for C:\Windows\system32\awtss.dll
C:\Windows\system32\awtss.dll NOT unregistered.
C:\Windows\system32\awtss.dll moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 04022008_190121

Malwarebytes' Anti-Malware 1.10
Database version: 586

Scan type: Quick Scan
Objects scanned: 31906
Time elapsed: 4 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 24
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\awtss.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Windows\System32\nysuxunx.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d70969d-3ec0-48ed-89cd-d0a26caed2e4} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2d70969d-3ec0-48ed-89cd-d0a26caed2e4} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7df5e58a-319b-404b-a942-e1c314d459b8} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7df5e58a-319b-404b-a942-e1c314d459b8} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85a9c42e-29db-438a-8d09-a056493b9471} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{97efc0f4-bf61-4f12-8143-d1c5a30f7aaf} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{06255b17-dbb3-478a-b54a-4ea5b5842f6e} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{dc78d83e-c7c7-45b7-92b8-6fc5e52496ae} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dc78d83e-c7c7-45b7-92b8-6fc5e52496ae} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1dd27cfe-14ea-43f2-887b-d9a26ac19b5c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b805d512-7a46-40e7-8ce9-352fdf276feb} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{dac8175d-2abc-4150-99eb-db809475cac5} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{db633303-ecc4-42ec-9109-7e186c0638ff} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{85a9c42e-29db-438a-8d09-a056493b9471} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtss.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtss.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\awtss.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\sstwa.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\sstwa.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\ghekxikp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\pkixkehg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\nysuxunx.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\xnuxusyn.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\ondvvoal.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\laovvdno.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\loneotci.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\nnwbkcew.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\nrianfbc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\rywtwpbh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\ywjotroq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Ryan\Local Settings\Temporary Internet Files\Content.IE5\K2KDYTIR\ptch[2] (Trojan.Vundo) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:04:32 PM, on 4/2/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Portrait Displays\forteManager\dthtml.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:6588
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [DT LGE] C:\Program Files\Portrait Displays\forteManager\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [16ff06d8] rundll32.exe "C:\Windows\system32\nysuxunx.dll",b
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-21-3998126492-281048955-1198320686-1000\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User '?')
O4 - S-1-5-21-3998126492-281048955-1198320686-1000 Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe (User '?')
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Hawking Wireless Utility.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 9651 bytes

ken545
2008-04-03, 05:14
Hello,

Looks like we got a great deal of it removed, but you still have an entry in your log for Vundo, and there may be a bit more installed we can't see.

I would like you to run ComboFix; nothing to install, just download it to your desktop. With Vista you may have to right-click on it and Run as Administrator. Try running it normally first.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

In the event you already have ComboFix, this is a new version that I need you to download.
It must be saved directly to your desktop.

1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection afterwards, before connecting to the net.

2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.

If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
If there is no Internet connection when ComboFix has completely finished, restart your computer to restore the connection.

3. Now double-click on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.
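The Vundo entry ken545 is pointing at in the log above (the `[16ff06d8] rundll32.exe "C:\Windows\system32\nysuxunx.dll",b` line) has a recognisable shape: an 8-hex-digit value name and rundll32 loading an 8-letter DLL out of system32 through a one-letter export. As an added example, not code from this thread or from any tool mentioned in it, the Python script below parses HijackThis O4 Run lines, flags entries of that shape, and diffs two logs to show what a cleanup removed; the two log excerpts are constructed from the logs posted in this thread.

```python
"""Flag Vundo/Virtumonde-style autostart entries in HijackThis O4 lines.

Added example, not part of the thread or of HijackThis/ComboFix. It combines
two indicators seen in this thread's first log: a Run value whose name is
eight hex digits, and rundll32 loading an eight-letter system32 DLL via a
one- or two-character export.
"""
import re

# Constructed excerpts of the two HijackThis logs posted in this thread:
# before ComboFix (still carries the Vundo entry) and after (entry gone).
HJT_BEFORE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [16ff06d8] rundll32.exe "C:\Windows\system32\nysuxunx.dll",b
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
"""

HJT_AFTER = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
"""

# Shape of a registry Run entry: "O4 - <hive>\..\Run: [<name>] <command>".
# Startup-folder O4 lines have a different shape and are ignored here.
O4_RUN_RE = re.compile(
    r'^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)

# Indicator 1: value name is eight hex digits (e.g. 16ff06d8 in this thread).
RANDOM_HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$', re.IGNORECASE)

# Indicator 2: rundll32 loads an 8-letter DLL from system32 via a 1-2 char export.
RUNDLL_SYS32_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?'
    r'(?P<dll>[a-z]:\\windows\\system32\\[a-z]{8}\.dll)"?'
    r'\s*,\s*(?P<export>[a-z0-9]{1,2})\s*$',
    re.IGNORECASE,
)


def parse_o4_run(line):
    """Return (hive, name, cmd) for a registry O4 Run line, else None."""
    m = O4_RUN_RE.match(line.strip())
    return (m['hive'], m['name'], m['cmd']) if m else None


def vundo_indicators(line):
    """List the Vundo-style indicators present on one log line (empty if none)."""
    parsed = parse_o4_run(line)
    if parsed is None:
        return []
    _, name, cmd = parsed
    reasons = []
    if RANDOM_HEX_NAME_RE.match(name):
        reasons.append('value name is 8 random hex digits')
    m = RUNDLL_SYS32_RE.match(cmd)
    if m:
        reasons.append(f"rundll32 loads {m['dll']} via export '{m['export']}'")
    return reasons


def flag_vundo_like(log_text, min_indicators=2):
    """Return [(line, reasons)] for O4 lines showing at least min_indicators."""
    hits = []
    for line in log_text.splitlines():
        reasons = vundo_indicators(line)
        if len(reasons) >= min_indicators:
            hits.append((line.strip(), reasons))
    return hits


def o4_entries_removed(before_log, after_log):
    """O4 Run entries present before a cleanup run but absent afterwards."""
    before = {l.strip() for l in before_log.splitlines() if parse_o4_run(l)}
    after = {l.strip() for l in after_log.splitlines() if parse_o4_run(l)}
    return sorted(before - after)


if __name__ == '__main__':
    for line, reasons in flag_vundo_like(HJT_BEFORE):
        print(line)
        for reason in reasons:
            print('   -', reason)
    print('removed by cleanup:', o4_entries_removed(HJT_BEFORE, HJT_AFTER))
```

Requiring both indicators keeps legitimate rundll32 entries such as the NVIDIA NvCpl.dll line out of the results; the service entry for VundoFixSvc is a cleanup tool, not part of the infection, and is not an O4 line at all.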

LBrider
2008-04-04, 05:32
Alright, I just got done running ComboFix and HJT. Here are the logs that were produced. Thank you for your help!

ComboFix 08-04-03.3 - Ryan 2008-04-03 19:21:18.1 - NTFSx86

Running from: C:\Users\Ryan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\StreamPlug.dll
C:\Windows\system32\nysuxunx.dll
C:\Windows\System32\sstwa.ini
C:\Windows\System32\xnuxusyn.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-04 to 2008-04-04 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-03 01:33 --------- d-----w C:\Users\Ryan\AppData\Roaming\Malwarebytes
2008-04-03 01:33 --------- d-----w C:\ProgramData\Malwarebytes
2008-04-03 01:33 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-04-02 01:20 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-04-02 01:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-01 04:24 262,144 ----a-w C:\ntuser.dat
2008-04-01 04:21 --------- d-----w C:\ProgramData\Kaspersky Lab
2008-03-31 04:08 --------- d-----w C:\Users\Ryan\AppData\Roaming\LimeWire
2008-03-29 23:55 --------- d-----w C:\Program Files\Trend Micro
2008-03-27 04:35 --------- d-----w C:\ProgramData\Lavasoft
2008-03-27 04:32 --------- d-----w C:\Program Files\Lavasoft
2008-03-27 04:32 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-26 02:50 24,576 ----a-w C:\Windows\System32\VundoFixSVC.exe
2008-03-24 03:33 --------- d-----w C:\Program Files\Common Files\Nero
2008-03-24 03:28 --------- d-----w C:\ProgramData\Nero
2008-03-24 02:15 --------- d-----w C:\Users\Ryan\AppData\Roaming\uTorrent
2008-03-24 02:12 102,664 ----a-w C:\Windows\system32\drivers\tmcomm.sys
2008-03-24 01:48 --------- d-----w C:\Program Files\NeroInstall.bak
2008-03-20 12:57 --------- d-----w C:\Program Files\Java
2008-03-17 04:13 --------- d-----w C:\Users\Ryan\AppData\Roaming\ZoomBrowser EX
2008-03-17 04:13 --------- d-----w C:\ProgramData\ZoomBrowser
2008-03-12 13:09 --------- d-----w C:\Program Files\Windows Mail
2008-03-12 12:29 --------- d-----w C:\ProgramData\Microsoft Help
2008-03-06 05:25 --------- d-----w C:\Program Files\Cedelia
2008-03-02 17:00 --------- d-----w C:\Program Files\LG Electronics
2008-03-02 03:11 --------- d-----w C:\Program Files\BitPim
2008-03-02 02:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-02 02:38 --------- d-----w C:\Program Files\Verizon Wireless
2008-03-02 02:08 65,536 ----a-w C:\Windows\IFinst27.exe
2008-02-29 04:42 --------- d-----w C:\ProgramData\NVIDIA
2008-02-28 20:26 1,414,440 ----a-w C:\Windows\System32\ShellManager310E2D762.dll
2008-02-27 03:29 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-25 13:46 --------- d-----w C:\Program Files\RALINK
2008-02-21 07:30 --------- d-----w C:\Program Files\Bonjour
2008-02-13 17:23 --------- d-----w C:\Program Files\iTunes
2008-02-13 17:23 --------- d-----w C:\Program Files\iPod
2008-02-13 17:20 --------- d-----w C:\Program Files\QuickTime
2008-02-13 15:44 --------- d-----w C:\Program Files\LimeWire
2008-02-13 07:34 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-13 07:34 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-02-13 07:31 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-02-13 07:31 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-13 07:31 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-13 07:31 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-02-13 07:31 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-02-13 07:31 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-13 07:31 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-02-13 07:31 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-02-13 07:30 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-13 07:30 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-13 07:30 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-13 07:30 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-02-13 07:30 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-13 07:29 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 07:29 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 07:29 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 07:29 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 07:29 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 07:29 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-02-13 07:27 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-13 07:27 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-13 07:27 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-13 07:27 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-01-25 12:46 2,158,592 ----a-w C:\Windows\System32\RtkAPO.dll
2008-01-24 17:40 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-21 17:18 638,976 ----a-w C:\Windows\System32\RtkPgExt.dll
2008-01-17 15:22 4,907,008 ----a-w C:\Windows\RtHDVCpl.exe
2008-01-14 15:10 86,528 ----a-w C:\Windows\System32\AERTARen.dll
2008-01-14 15:10 135,168 ----a-w C:\Windows\System32\AERTACap.dll
2007-08-30 16:39 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-24 10:40 1232896]
"Aim6"="" []
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [2007-08-27 11:08 3674112]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 12:51 202024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-20 18:41 1006264]
"DT LGE"="C:\Program Files\Portrait Displays\forteManager\DTHtml.exe" [2007-06-12 12:32 291328]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2006-10-03 11:35 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 11:37 81920]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 16:24 71216]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 16:21 54832]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52 483328]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 08:00 33648]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 09:25 1828136]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 15:18 267048]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 08:22 4907008 C:\Windows\RtHDVCpl.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-11-06 21:00 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-11-06 21:00 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-11-06 21:00 81920]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]

C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-03-01 19:38:56 951640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"DisableCAD"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{737A1025-A182-4F9D-A86F-A489960DC903}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{31741E9A-6356-4DB0-835F-2180C136CAFC}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{5DEA8A3C-A522-4696-AB81-BC0FA5779E61}C:\\program files\\common files\\roxio shared\\9.0\\sharedcom\\roxwatchtray9.exe"= UDP:C:\program files\common files\roxio shared\9.0\sharedcom\roxwatchtray9.exe:RoxMMTrayApp Module
"UDP Query User{11F2BBF5-6401-48E1-8268-AA67D1AED07D}C:\\program files\\common files\\roxio shared\\9.0\\sharedcom\\roxwatchtray9.exe"= TCP:C:\program files\common files\roxio shared\9.0\sharedcom\roxwatchtray9.exe:RoxMMTrayApp Module
"{67C1CD59-5E98-4BED-BF74-2538ED399374}"= C:\Program Files\Cyberlink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"TCP Query User{00723487-923F-4106-BA52-B6C7779D12A4}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{BFE5EE72-9524-4DC0-83C6-CBC636C1FF70}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{6FC02F34-FF0A-4F9E-9ACC-F7340F12D8DE}C:\\program files\\aim6\\aim6.exe"= UDP:C:\program files\aim6\aim6.exe:AIM
"UDP Query User{DC500809-E962-4453-87F2-F9E69AD289C1}C:\\program files\\aim6\\aim6.exe"= TCP:C:\program files\aim6\aim6.exe:AIM
"TCP Query User{A9BA2549-2548-42CF-A769-FD54297984A2}C:\\users\\ryan\\appdata\\local\\temp\\electronicarts_patcher_000.exe"= UDP:C:\users\ryan\appdata\local\temp\electronicarts_patcher_000.exe:electronicarts_patcher_000.exe
"UDP Query User{89CDB3B9-8180-4963-A04E-46A82B3F8756}C:\\users\\ryan\\appdata\\local\\temp\\electronicarts_patcher_000.exe"= TCP:C:\users\ryan\appdata\local\temp\electronicarts_patcher_000.exe:electronicarts_patcher_000.exe
"{3EE4E52C-2369-4B48-B4B9-BBC18DBE667A}"= C:\Program Files\Electronic Arts\Command & Conquer 3\RetailExe\1.8\cnc3game.dat:Command & Conquer 3 Tiberium Wars
"{D2B94165-1BAB-4EA4-A3DE-809AD080286D}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{2B880038-E307-4D4B-A062-9C89E00E5CC9}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{7B32B582-54C7-45A3-9CBB-46DC475367FF}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{84161D48-7047-41EE-B17A-F3C8B41127FC}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{D5D705EF-68A1-4BC5-9BDD-E9F5EEDFBAF4}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{023A9E01-3D63-4D41-A8E5-2866D52F4436}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6AD5A20D-2E9B-4E31-B417-23D0B31C1A21}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{E9DCC8B8-B0BD-414B-A213-C16F1C6675F6}C:\\program files\\java\\jre1.6.0_02\\bin\\javaw.exe"= UDP:C:\program files\java\jre1.6.0_02\bin\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{4D9C44E6-4EAF-432A-9EFE-387121D02A54}C:\\program files\\java\\jre1.6.0_02\\bin\\javaw.exe"= TCP:C:\program files\java\jre1.6.0_02\bin\javaw.exe:Java(TM) Platform SE binary
"TCP Query User{B5684D6B-6417-4F95-918D-BFBDFFFE4C39}C:\\program files\\electronic arts\\command & conquer 3\\retailexe\\1.9\\cnc3game.dat"= UDP:C:\program files\electronic arts\command & conquer 3\retailexe\1.9\cnc3game.dat:Command and Conquer 3 Tiberium Wars™
"UDP Query User{C0705E3B-3484-483F-BEF2-26769C8B08E2}C:\\program files\\electronic arts\\command & conquer 3\\retailexe\\1.9\\cnc3game.dat"= TCP:C:\program files\electronic arts\command & conquer 3\retailexe\1.9\cnc3game.dat:Command and Conquer 3 Tiberium Wars™
"{4E6A76E3-EDDF-417E-9690-181048C2C60C}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{937C8D98-BEAF-410B-94A9-633E24EC30F0}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{E3E09460-3CA9-4D57-B547-B96C4160F42C}C:\\program files\\java\\jre1.6.0_03\\bin\\javaw.exe"= UDP:C:\program files\java\jre1.6.0_03\bin\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{DBA53AB4-E77E-407B-87BC-B3281E6EEC59}C:\\program files\\java\\jre1.6.0_03\\bin\\javaw.exe"= TCP:C:\program files\java\jre1.6.0_03\bin\javaw.exe:Java(TM) Platform SE binary
"{CADC4444-0625-4777-9F14-C3B52656E956}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{B6D39788-41CA-440E-8CC5-500A0AAFAD97}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{77A63F71-975F-4ADD-8DD8-D5911F462B57}C:\\program files\\aim6\\aim6.exe"= UDP:C:\program files\aim6\aim6.exe:AIM
"UDP Query User{47E5D531-3635-44D2-916A-45A17E6D8DDA}C:\\program files\\aim6\\aim6.exe"= TCP:C:\program files\aim6\aim6.exe:AIM
"TCP Query User{5A403C5A-1C35-4EDA-AEEB-1185E7723332}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{56CB041F-7306-49FF-9679-E7DA7B3472CF}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"{89A422C9-3E97-4500-9415-33D220B04FC7}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{832CF7BE-6AA5-4E65-A1C9-E55B96B691FC}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{136C0EEC-5E89-478D-BC75-7F257D3F8BF8}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{B99CA617-AB70-4C80-979E-DF27421E100B}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{9DFC1460-FA58-4220-9F95-9DF6F6F2D99A}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{C8B03CAC-DE70-4554-9C95-3F3A01D6797F}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{5747CEDC-ECE6-45E0-925C-FD2E24FCD5AA}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{6295FB7F-89F2-40FC-88AD-00806F441B14}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{AF5969F6-4453-426E-A597-E87888151CAA}C:\\program files\\nero\\nero8\\nero home\\nerohome.exe"= UDP:C:\program files\nero\nero8\nero home\nerohome.exe:Nero Home
"UDP Query User{19118049-9CBE-4FDD-9E20-E184B6CDEF0E}C:\\program files\\nero\\nero8\\nero home\\nerohome.exe"= TCP:C:\program files\nero\nero8\nero home\nerohome.exe:Nero Home
"TCP Query User{737F7DDD-103D-482D-94C0-3B01871E212A}C:\\program files\\bitpim\\bitpimw.exe"= UDP:C:\program files\bitpim\bitpimw.exe:Open Source Mobile Phone Tool
"UDP Query User{5ABF84B8-39C9-4312-B20E-D88FEB02C7ED}C:\\program files\\bitpim\\bitpimw.exe"= TCP:C:\program files\bitpim\bitpimw.exe:Open Source Mobile Phone Tool
"TCP Query User{F4659000-1DE6-4813-B368-FA6B1C148977}C:\\program files\\common files\\nero\\nero web\\setupx.exe"= UDP:C:\program files\common files\nero\nero web\setupx.exe:MSI starter
"UDP Query User{83DCA3EE-6B8C-4203-8C91-C70EC512A805}C:\\program files\\common files\\nero\\nero web\\setupx.exe"= TCP:C:\program files\common files\nero\nero web\setupx.exe:MSI starter
"TCP Query User{927BBD55-033E-42B7-9EE3-738AF8A3A0AA}C:\\users\\ryan\\appdata\\local\\temp\\onlineupdate8\\setupxu.exe"= UDP:C:\users\ryan\appdata\local\temp\onlineupdate8\setupxu.exe:Nero Installer
"UDP Query User{7FCAA469-A00B-41AD-A7C2-0E821250AC94}C:\\users\\ryan\\appdata\\local\\temp\\onlineupdate8\\setupxu.exe"= TCP:C:\users\ryan\appdata\local\temp\onlineupdate8\setupxu.exe:Nero Installer

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-03 19:24:53
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\Common Files\Portrait Displays\Shared\dthook.dll
-> C:\Program Files\Common Files\Portrait Displays\Shared\PresetsCOM.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
.
**************************************************************************
.
Completion time: 2008-04-03 19:28:07 - machine was rebooted [Ryan]
ComboFix-quarantined-files.txt 2008-04-04 02:27:58
The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.
.
2008-04-02 12:28:05 --- E O F ---

LBrider
2008-04-04, 05:33
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:05 PM, on 4/3/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Portrait Displays\forteManager\dthtml.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\rundll32.exe
C:\Windows\Explorer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\DllHost.exe
C:\Windows\System32\mobsync.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:6588
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [DT LGE] C:\Program Files\Portrait Displays\forteManager\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-21-3998126492-281048955-1198320686-1000\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User '?')
O4 - S-1-5-21-3998126492-281048955-1198320686-1000 Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe (User '?')
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Hawking Wireless Utility.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 9302 bytes

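The two line formats a helper reads first in a log like the one above are the O4 autorun entries and the O23 services. The script below is an added example for this thread, not part of HijackThis or of anyone's post: it parses those two formats and lists the entries that deserve a second look (a service whose binary is missing, a service with no recorded publisher, and any autorun that loads a DLL through rundll32, which is how DLL-based infections of the Vundo family typically get started). The sample lines are copied from the log above plus one constructed line (`[placeholder]`, loading `placeholder.dll`) that stands in for a suspect entry.

```python
"""Triage of HijackThis O4 (autorun) and O23 (service) log lines.

Added example, not HijackThis code.  A flag means "look at this", not
"malicious": the NVIDIA and Portrait Displays entries below are legitimate
and are flagged all the same.
"""
import re

O4_RE = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^,]+?)\s*,\s*(?P<export>\S+)", re.I)

# Lines copied from the log in this thread plus one constructed line
# ([placeholder] / placeholder.dll) that stands in for a suspect autorun.
SAMPLE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKLM\..\Run: [placeholder] rundll32.exe C:\Windows\system32\placeholder.dll,run
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
""".strip().splitlines()


def parse_line(line):
    """Return a dict for an O4 or O23 line, or None for any other line type."""
    m = O4_RE.match(line)
    if m:
        return {"kind": "O4", **m.groupdict()}
    m = O23_RE.match(line)
    if m:
        return {"kind": "O23", "name": m["name"], "owner": m["owner"],
                "path": m["path"], "missing": m["missing"] is not None}
    return None


def triage(lines):
    """Return (line, reason) pairs for the entries that deserve a closer look."""
    findings = []
    for line in lines:
        entry = parse_line(line.strip())
        if entry is None:
            continue
        if entry["kind"] == "O23":
            if entry["missing"]:
                findings.append((line, "service binary is missing; orphaned entry"))
            elif entry["owner"].lower() == "unknown owner":
                findings.append((line, "service has no recorded publisher"))
        else:
            r = RUNDLL_RE.search(entry["cmd"])
            if r:  # a DLL started via rundll32: identify the DLL before trusting it
                findings.append((line, f"rundll32 loads {r['dll'].strip()} ({r['export']})"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE):
        print(f"{reason}\n    {line}")
```

Run it on a saved log with `triage(open("hijackthis.log").read().splitlines())`; every flagged DLL or service binary is then a candidate for the kind of hash lookup and VirusTotal submission that follows in this thread.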
ken545
2008-04-04, 06:22
Hello,

Things are looking better. There is a file I am concerned about; do this please.


You need to enable windows to show all files and folders, instructions Here (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)


Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis: just use the browse feature and then Send File. You will get a report back; post the report into this thread for me to see.

C:\Windows\IFinst27.exe

LBrider
2008-04-07, 05:35
Hey Ken, sorry about the delay, I was out of town for the weekend. Here is the report generated by VirusTotal.

File IFinst27.exe received on 04.07.2008 04:19:55 (CET)
Current status: finished
Result: 2/32 (6.25%)


Antivirus Version Last Update Result
AhnLab-V3 2008.4.4.1 2008.04.04 -
AntiVir 7.6.0.81 2008.04.05 -
Authentium 4.93.8 2008.04.05 -
Avast 4.7.1098.0 2008.04.06 -
AVG 7.5.0.516 2008.04.06 -
BitDefender 7.2 2008.04.07 -
CAT-QuickHeal 9.50 2008.04.05 -
ClamAV 0.92.1 2008.04.07 -
DrWeb 4.44.0.09170 2008.04.06 -
eSafe 7.0.15.0 2008.04.01 suspicious Trojan/Worm
eTrust-Vet 31.3.5672 2008.04.04 -
Ewido 4.0 2008.04.06 -
F-Prot 4.4.2.54 2008.04.06 -
F-Secure 6.70.13260.0 2008.04.07 -
FileAdvisor 1 2008.04.07 -
Fortinet 3.14.0.0 2008.04.06 -
Ikarus T3.1.1.20 2008.04.07 Trojan-Downloader.Win32.Banload.TN
Kaspersky 7.0.0.125 2008.04.07 -
McAfee 5267 2008.04.04 -
Microsoft 1.3408 2008.04.06 -
NOD32v2 3005 2008.04.06 -
Norman 5.80.02 2008.04.04 -
Panda 9.0.0.4 2008.04.06 -
Prevx1 V2 2008.04.07 -
Rising 20.38.60.00 2008.04.03 -
Sophos 4.28.0 2008.04.07 -
Sunbelt 3.0.1032.0 2008.04.07 -
Symantec 10 2008.04.07 -
TheHacker 6.2.92.266 2008.04.05 -
VBA32 3.12.6.4 2008.04.06 -
VirusBuster 4.3.26:9 2008.04.06 -
Webwasher-Gateway 6.6.2 2008.04.05 -
Additional information
File size: 65536 bytes
MD5...: 9c17bca3ef837bacded7e4299508e71d
SHA1..: 253c7e956ad6cb66e0e47e5d9a6a19d78e9c96e0
SHA256: 2405e5479aeb7d43d1362969b9c439e5931b8f900f9adfe0faaa986365415193
SHA512: 12c1c5dbdf763d6d361b9d412794b0d85b6134843114120b843f30db198a3a211e2c06eadd3ed25271b4cd06a7367df7dafc6b9b33b1bce479f3ad050caeb625
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x429940
timedatestamp.....: 0x3a2e957d (Wed Dec 06 19:37:33 2000)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x1a000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x1b000 0xf000 0xec00 7.91 6651d2390d2f4d60a07cea9b1bf3450e
.rsrc 0x2a000 0x1000 0x1000 3.39 79f1a804b29384e18fb2b8c70a0e867d

( 8 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
> ADVAPI32.dll: RegCloseKey
> GDI32.dll: BitBlt
> ole32.dll: CoInitialize
> OLEAUT32.dll: -
> SHELL32.dll: ShellExecuteA
> USER32.dll: GetDC
> VERSION.dll: VerQueryValueA

( 0 exports )
packers: UPX

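The "Additional information" part of that report says more than the 2/32 score does: a UPX0 section with zero raw bytes but 0x1a000 bytes of virtual space, a UPX1 section at 7.91 bits of entropy, and an import table reduced to LoadLibraryA/GetProcAddress plus one token import per DLL are the fingerprint of a UPX-packed executable, and packing is exactly what keeps most signature engines quiet. The script below is an added example for this thread, not VirusTotal's or PEiD's code. It reads the section table straight from the PE headers (no pefile dependency), computes the three hashes VirusTotal listed so a local file can be matched against the report, and applies those three indicators. Since no file from the thread is available here, `build_sample_pe()` constructs a tiny, non-executable image with the same section names, addresses and sizes as the report; the filler bytes and the checks are mine.

```python
"""Hash and section-entropy triage of a PE file (added example, not
VirusTotal/PEiD code).  build_sample_pe() is a constructed stand-in for
the file in the thread and copies only its section layout."""
import hashlib
import math
import struct
from collections import Counter

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image):
    """Yield (name, virtual_address, virtual_size, raw_bytes) per section."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    table = pe_off + 24 + opt_size  # section table follows the optional header
    for i in range(n_sections):
        name, vsize, vaddr, rsize, rptr, *_ = SECTION_HDR.unpack_from(
            image, table + i * SECTION_HDR.size)
        yield (name.rstrip(b"\0").decode("ascii", "replace"),
               vaddr, vsize, image[rptr:rptr + rsize])


def triage_pe(image):
    """Return hashes, per-section entropy and packer indicators for an image."""
    report = {"md5": hashlib.md5(image).hexdigest(),
              "sha1": hashlib.sha1(image).hexdigest(),
              "sha256": hashlib.sha256(image).hexdigest(),
              "sections": [], "indicators": []}
    for name, vaddr, vsize, raw in pe_sections(image):
        ent = shannon_entropy(raw)
        report["sections"].append({"name": name, "vaddr": vaddr, "vsize": vsize,
                                   "rawsize": len(raw), "entropy": round(ent, 2)})
        if name.upper().startswith("UPX"):
            report["indicators"].append(f"{name}: UPX section name")
        if not raw and vsize:  # reserved for the unpacked image, as UPX0 is
            report["indicators"].append(
                f"{name}: no raw data but {vsize:#x} bytes virtual (unpack area)")
        if ent > 7.0:  # near 8 bits/byte: compressed or encrypted content
            report["indicators"].append(f"{name}: entropy {ent:.2f}, compressed/encrypted")
    return report


def _pseudo_random(n):
    """Deterministic high-entropy filler (hash chain) standing in for packed code."""
    out, seed = bytearray(), b"constructed sample"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return bytes(out[:n])


def build_sample_pe():
    """Constructed minimal PE32 layout with the report's three sections; not runnable code."""
    pe_off, opt_size = 0x40, 0xE0
    sections = [(b"UPX0", 0x1000, 0x1A000, b""),
                (b"UPX1", 0x1B000, 0xF000, _pseudo_random(0xEC00 // 16)),
                (b".rsrc", 0x2A000, 0x1000, b"\0" * 800 + b"VS_VERSION_INFO" * 10)]
    hdr_end = pe_off + 24 + opt_size + SECTION_HDR.size * len(sections)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF  # first raw section on a 512-byte boundary
    dos = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    struct.pack_into("<I", dos, 0x3C, pe_off)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x3A2E957D, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    headers, body = dos + b"PE\0\0" + coff + opt, b""
    for name, vaddr, vsize, raw in sections:
        ptr = raw_ptr + len(body) if raw else 0
        headers += SECTION_HDR.pack(name, vsize, vaddr, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
    return bytes(headers + b"\0" * (raw_ptr - len(headers)) + body)


if __name__ == "__main__":
    rep = triage_pe(build_sample_pe())
    print(rep["md5"], rep["sha1"], rep["sha256"], sep="\n")
    for s in rep["sections"]:
        print(f"{s['name']:<8} vaddr={s['vaddr']:#07x} vsize={s['vsize']:#07x} "
              f"raw={s['rawsize']:#07x} entropy={s['entropy']:.2f}")
    for ind in rep["indicators"]:
        print("  !", ind)
```

On a real file, `triage_pe(open(path, "rb").read())` gives the same hashes VirusTotal prints, so a second copy found later can be matched without resubmitting it; the entropy and UPX indicators only say "packed", and a packed file with a 2000 timestamp and two generic detections still needs the unpacked contents (or, as in this thread, a decision to remove it and watch for side effects) before it tells you anything more.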
ken545
2008-04-07, 12:06
Good Morning,

Let's delete that file; leave it in the Recycle Bin until you reboot and make sure it does not cause any issues. Let me know if it would not delete.



Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.

Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced."
Deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.


*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!
**Note** Go to Options> Cookies and any you want to keep move them to The Keep window


How is your system running now ?

LBrider
2008-04-14, 07:14
I used CCleaner and deleted that file. Everything seems to be running smoothly now. Thank you so much for your help!

ken545
2008-04-14, 07:49
You're very welcome, glad things are running better for you. :bigthumb:




How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall are recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy, but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0.0.13 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.


Glad we could help

Safe Surfn
Ken